Dorblue
The vulnerabilities allow security protections to be bypassed through the Linux kernel's support for extended Berkeley Packet Filter (eBPF) programs.
On Monday, March 29, security researchers disclosed two vulnerabilities in Linux distributions that allow the protections against speculative-execution attacks such as Spectre to be bypassed and confidential information to be read from kernel memory.
The vulnerabilities, CVE-2020-27170 and CVE-2020-27171 (rated 5.5 out of 10 on the CVSS severity scale), were discovered by Symantec Threat Hunter Team researcher Piotr Krysiuk and affect all versions of the Linux kernel up to 5.11.8. Fixes for Ubuntu, Debian and Red Hat were released on March 20, 2021.
CVE-2020-27170 can be used to retrieve content from anywhere in kernel memory, while CVE-2020-27171 allows data to be retrieved from kernel memory within a 4 GB range.
Documented in January 2018, the Spectre and Meltdown vulnerabilities exploit weaknesses in modern processors to leak data being processed on the computer, allowing an attacker to bypass the hardware-enforced isolation between applications. In other words, these two side-channel attacks let malicious code read memory it normally has no permission to access. Worse, the attacks could be carried out remotely via malicious websites serving crafted JavaScript code.
Despite the software mitigations that were implemented, and the special measures browser developers added against timing attacks by reducing the precision of time-measurement functions, all of these measures were applied at the operating-system level and did not solve the underlying problem.
The vulnerabilities discovered by Krysiuk allow these measures to be circumvented on Linux by using the kernel's support for extended Berkeley Packet Filter (eBPF) programs to extract the contents of kernel memory. On vulnerable systems, unprivileged BPF programs can bypass the Spectre mitigations and speculatively perform loads outside of the allocated memory area without any restriction.
Specifically, it was found that the kernel's BPF verifier (kernel/bpf/verifier.c) performs unwanted speculative execution of pointer arithmetic that reaches outside the allocated memory area, which undoes the Spectre patches and leaves the system open to side-channel attacks.
In a real-world scenario, unprivileged users could exploit these vulnerabilities to gain access to sensitive data belonging to other users of the same vulnerable machine.
The vulnerabilities can also be exploited if an attacker has already gained access to the target system, for example by planting remote-access malware on it. In that case, the attacker can gain access to all user profiles on the system.
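A defender-side check for the conditions the post describes, written as an added example (not code from the article, from Symantec or from the kernel project): it treats kernels older than 5.11.8 as affected by version and reports whether unprivileged users can still load BPF programs, via the kernel.unprivileged_bpf_disabled sysctl. It assumes /proc/sys is mounted; a distribution may have backported the verifier fix to an older version string, so the version check alone is not conclusive.

```python
"""Check whether this host exposes the unprivileged eBPF Spectre bypass."""
import os
import platform
import re

FIXED_IN = (5, 11, 8)  # first upstream release carrying the verifier fix
SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"


def parse_kernel_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '5.4.0-70-generic' into (5, 4, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def kernel_version_affected(release: str) -> bool:
    """True when the upstream version predates 5.11.8 (backports not considered)."""
    return parse_kernel_release(release) < FIXED_IN


def unprivileged_bpf_reachable(sysctl_value: str) -> bool:
    """A value of 0 means unprivileged users may load BPF programs; any other value disables it."""
    return sysctl_value.strip() == "0"


def assess(release: str, sysctl_value: str) -> str:
    """Combine the two checks into a one-line verdict for the host."""
    if not kernel_version_affected(release):
        return "kernel version at or above 5.11.8: not affected by version"
    if sysctl_value.strip() == "missing":
        return "unknown: sysctl not present, verify BPF support and patch level manually"
    if unprivileged_bpf_reachable(sysctl_value):
        return "AT RISK: pre-5.11.8 kernel and unprivileged BPF is enabled"
    return "mitigated: unprivileged BPF disabled (still confirm the distro backport)"


def read_sysctl(path: str = SYSCTL_PATH) -> str:
    """Read the sysctl from /proc; report 'missing' when the file does not exist."""
    if not os.path.exists(path):
        return "missing"
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    print(assess(platform.release(), read_sysctl()))
```

Setting kernel.unprivileged_bpf_disabled=1 removes the unprivileged attack surface until the patched kernel is installed, though privileged BPF remains available.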